
Hackers hope to have played their stolen cards right by asking $130 million on the Joker's Stash dark market store

Getty Images for ReedPOP

There is no shortage of places within the internet's dark market where stolen credit and debit card information is sold. Most of them, truth be told, are criminal chancers trading in recycled data from old breaches; bargains are to be had for fraudsters willing to take a gamble that some of the bundle of payment cards they have bought will actually be usable. Then there is Joker's Stash, where a stolen payment card database is on sale for $130 million (£101 million).

What is Joker’s Stash?

What is Joker's Stash, do I hear you ask? Well, I'm not talking about the half a million Android devices the Joker malware is said to have infected, nor the $4.5 million (£3.5 million) smackers that Joaquin Phoenix is reported as having got paid for the role in the Joker movie either. Instead, Joker's Stash is well-known within cybercriminal circles as the most significant "carding" site, where payment card data is traded on the dark web.

Not only is it the biggest, but Joker's Stash, which was established in 2014, prides itself on traders selling the "freshest" of payment card details, those that come directly from a breach rather than being recycled. As a result, this compromised card data doesn't come cheap and is pitched firmly in the top tier as far as pricing is concerned.

The $130 million payday

On October 28, the compromised details of more than 1.3 million payment cards were put up for sale on the notorious dark market site, with an asking price of $100 (£78) per card. Yes, you did read that right; if the cybercriminals trading the payment card data sell the lot, then that's an incredible $130 million (£101 million) payday. The security researchers who detected the card drop thought that the card collection, courtesy of it containing magnetic stripe "track 2 data," was created by a network of ATM cash machine or point of sale skimming devices. The vast majority appear to be from customers of Indian banks.

Why so serious?

The only funny thing about Joker's Stash is that the volume of payment card data it offers for sale isn't all bad news. In fact, it could be quite helpful for those fighting fraud.

Business risk intelligence specialist Flashpoint has published a new analysis of Joker's Stash. Flashpoint's director of analysis and research, Ian Gray, along with research developer Max Aliapoulios, have outlined why, because of its size and positioning, organizations need visibility into the card data from Joker's Stash if they want to be best placed to curtail any potential impact of a breach.

The report stated that fraud teams need to understand what payment card data is available, along with the timing of that availability, to help with the identification of the "common point of purchase" of the compromised card data. This is, the Flashpoint report said, the most reliable way that fraud teams can determine the source of a breach.
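To make the "common point of purchase" idea concrete, here is an added sketch (not code from Flashpoint or from this article) of how a fraud team might rank merchants once it knows which cards appeared in a listing and when. The card ids, merchant names, dates and the 90-day lookback are all constructed assumptions.

```python
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample data (card id, merchant, purchase date); no real cards or merchants.
TRANSACTIONS = [
    ("c1", "grocer", date(2020, 1, 5)), ("c1", "fuel-station-17", date(2020, 1, 14)),
    ("c2", "bookshop", date(2019, 12, 20)), ("c2", "fuel-station-17", date(2020, 1, 16)),
    ("c3", "grocer", date(2020, 2, 2)), ("c3", "fuel-station-17", date(2020, 1, 19)),
    ("c4", "fuel-station-17", date(2020, 1, 15)), ("c4", "grocer", date(2020, 3, 5)),
    ("k1", "grocer", date(2020, 1, 7)), ("k2", "grocer", date(2020, 1, 24)),
    ("k2", "bookshop", date(2020, 1, 25)), ("k3", "fuel-station-17", date(2020, 2, 3)),
    ("k4", "grocer", date(2020, 2, 13)),
]
COMPROMISED = {"c1", "c2", "c3", "c4"}  # cards the issuer found in the listing
LISTED_ON = date(2020, 3, 1)            # constructed date the listing appeared


def rank_common_points(transactions, compromised, listed_on, lookback_days=90):
    """Rank merchants by lift: share of compromised cards seen there in the
    window before the listing, minus the share of unlisted cards seen there."""
    if not compromised:
        raise ValueError("need at least one compromised card")
    start = listed_on - timedelta(days=lookback_days)
    hit, clean, all_clean = defaultdict(set), defaultdict(set), set()
    for card, merchant, when in transactions:
        if card not in compromised:
            all_clean.add(card)
        # Timing matters: a purchase after the listing cannot be its source.
        if not (start <= when < listed_on):
            continue
        (hit if card in compromised else clean)[merchant].add(card)
    rows = []
    for merchant, cards in hit.items():
        comp_share = len(cards) / len(compromised)
        base = len(clean.get(merchant, ())) / len(all_clean) if all_clean else 0.0
        rows.append((merchant, comp_share, base, comp_share - base))
    # Highest lift first; the merchant name breaks ties deterministically.
    return sorted(rows, key=lambda r: (-r[3], r[0]))


if __name__ == "__main__":
    for merchant, comp, base, lift in rank_common_points(TRANSACTIONS, COMPROMISED, LISTED_ON):
        print(f"{merchant:18} compromised={comp:.2f} baseline={base:.2f} lift={lift:+.2f}")
```

A merchant that is simply popular (the grocer here) scores low because unlisted cards shop there just as often, which is why the baseline comparison matters as much as the raw overlap.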

I'm a three-decade veteran technology journalist and have been a contributing editor at PC Pro magazine since the first issue in 1994. A three-time winner of the BT Security Journalist of the Year award (2006, 2008, 2010) I was also fortunate enough to be named BT Technology Journalist of the Year in 1996 for a forward-looking feature in PC Pro called 'Threats to the Internet.' In 2011 I was honored with the Enigma Award for a lifetime contribution to IT security journalism. Contact me in confidence at davey@happygeek.com if you have a story to reveal or research to share.